
CHILLYHELL MacOS Backdoor

Cybersecurity experts have uncovered a fresh malware family targeting Apple's macOS ecosystem. It is described as a modular backdoor dubbed CHILLYHELL, which is raising serious concerns due to its flexibility and advanced persistence methods.

Origins and Attribution

CHILLYHELL has been linked to an uncategorized threat cluster labeled UNC4487, believed to be active since at least October 2022. Intelligence reports suggest the group is likely an espionage actor. Its operations include compromising websites of Ukrainian government entities and tricking visitors into executing either Matanbuchus or CHILLYHELL malware.

Technical Background

The backdoor is written in C++ and designed to run on Intel-based macOS systems. A newly discovered CHILLYHELL sample, dated May 2, 2025, revealed that the malware had been notarized by Apple in 2021 and publicly hosted on Dropbox since then. Following this discovery, Apple revoked the associated developer certificates.

Infection and Persistence Mechanisms

Once deployed on a victim's system, CHILLYHELL performs extensive host profiling and then establishes persistence using three distinct methods. Afterward, it contacts a hard-coded command-and-control (C2) server over HTTP or DNS and enters a command loop in which it waits for instructions.

The persistence setup involves three strategies:

  • Installing itself as a per-user LaunchAgent
  • Installing itself as a system-wide LaunchDaemon
  • Modifying shell profiles such as .zshrc, .bash_profile, or .profile to insert a launch command
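The two persistence locations above (launchd property lists and shell profile files) are the places a responder would check first. The following script is an added example written for this page, not code from the original article or from any vendor tool: it flags launchd jobs whose program lives outside Apple-managed paths or that restart themselves at login, and shell profile lines that background a binary from a user-writable location. The sample plist and the sample .zshrc are constructed, and the helper path `/Users/alice/Library/.helper/updatehelper` is a hypothetical value, not an indicator from the page.

```python
"""Hunt for launchd and shell-profile persistence on a macOS home directory.

Added example for this page; the sample inputs below are constructed and the
paths in them are hypothetical, not indicators taken from the article.
"""
import plistlib
import re
from pathlib import Path

# Program locations that launchd jobs normally point at; anything else deserves a look.
TRUSTED_PROGRAM_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/",
    "/Applications/", "/Library/Apple/", "/opt/homebrew/", "/usr/local/",
)
# User-writable locations a shell profile has no good reason to launch from.
UNTRUSTED_PREFIXES = ("/Users/", "~/", "$HOME/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SHELL_PROFILES = (".zshrc", ".bash_profile", ".profile")
# Absolute or home-relative path token inside a shell line.
PATH_TOKEN = re.compile(r"((?:~|\$HOME|/)[\w./-]+)")


def plist_findings(plist_bytes: bytes) -> list[str]:
    """Return reasons a launchd plist looks like an implant (empty list if none)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        return ["no Program/ProgramArguments"]
    program = args[0]
    findings = []
    if not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"program outside trusted paths: {program}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (relaunched if killed)")
    if job.get("Label", "").startswith("com.apple.") and not program.startswith("/System/"):
        findings.append("Apple-looking label for a non-Apple binary")
    return findings


def profile_findings(profile_text: str) -> list[str]:
    """Flag profile lines that background a program from a user-writable path."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        backgrounded = stripped.endswith("&") or "nohup" in stripped
        for path in PATH_TOKEN.findall(stripped):
            if backgrounded and path.startswith(UNTRUSTED_PREFIXES):
                findings.append(f"line {lineno}: backgrounded launch of {path}")
    return findings


def scan_home(home: Path) -> dict[str, list[str]]:
    """Walk one user's LaunchAgents and shell profiles; keys are paths with findings."""
    report = {}
    for plist in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            hits = plist_findings(plist.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            hits = [f"unparseable plist: {exc}"]
        if hits:
            report[str(plist)] = hits
    for name in SHELL_PROFILES:
        profile = home / name
        if profile.is_file():
            hits = profile_findings(profile.read_text(errors="replace"))
            if hits:
                report[str(profile)] = hits
    return report


# Constructed sample: a LaunchAgent pointing at a hidden helper under the user's home.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updatehelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.helper/updatehelper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary backup job that should not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/bin/rsync</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed sample ~/.zshrc with one injected launch line (hypothetical path).
SAMPLE_ZSHRC = """# constructed ~/.zshrc
export PATH=/opt/homebrew/bin:$PATH
alias ll='ls -la'
nohup /Users/alice/Library/.helper/updatehelper >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print(plist_findings(SAMPLE_PLIST))
    print(plist_findings(BENIGN_PLIST))
    print(profile_findings(SAMPLE_ZSHRC))
    print(scan_home(Path.home()))
```

Run it as a normal user to check your own LaunchAgents and profiles; system LaunchDaemons under /Library/LaunchDaemons can be fed to `plist_findings` the same way with elevated privileges. Every finding is a lead for review, not a verdict: third-party software legitimately installs LaunchAgents, so compare the program path against what the vendor documents before acting.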

Evasion Through Timestomping

A particularly notable evasion technique is CHILLYHELL's use of timestomping, which alters the timestamps of its files so they blend in with legitimate system artifacts. If direct system calls are not possible due to insufficient privileges, the malware falls back to shell commands such as:

  • touch -c -a -t (for access time modification)
  • touch -c -m -t (for modification time adjustment)

Both commands include a backdated timestamp string to avoid suspicion.
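Timestomping with `touch -t` rewrites the access and modification times, but it cannot set the inode change time (ctime): the kernel updates ctime to the current clock whenever file metadata changes, and on APFS the birth time is likewise untouched. A file whose modification time lies well before its change or birth time is therefore a strong signal that the timestamps were backdated. The script below is an added example for this page, not code from the original article: it parses a `touch -t` timestamp string, simulates the backdating with `os.utime` (the same system call `touch` makes) on a constructed temporary file, and reports the inconsistency. The 60-second slack value is an assumption chosen to ignore ordinary write ordering, not a figure from the page.

```python
"""Detect touch-style timestomping from the ctime/birthtime gap.

Added example for this page. simulate_touch_t() stands in for
`touch -c -a -m -t <stamp>` so the check can be demonstrated offline.
"""
import os
import tempfile
from datetime import datetime


def parse_touch_timestamp(stamp: str) -> float:
    """Convert a touch -t argument ([[CC]YY]MMDDhhmm[.SS]) to a POSIX timestamp.

    touch interprets the value as local time, so strptime without tzinfo matches it.
    """
    base, _, seconds = stamp.partition(".")
    if len(base) == 12:
        fmt = "%Y%m%d%H%M"
    elif len(base) == 10:
        fmt = "%y%m%d%H%M"
    else:
        raise ValueError(f"unsupported touch -t format: {stamp!r}")
    if seconds:
        base, fmt = base + seconds, fmt + "%S"
    return datetime.strptime(base, fmt).timestamp()


def simulate_touch_t(path: str, stamp: str) -> None:
    """Backdate atime and mtime the way `touch -c -a -m -t` does (ctime stays honest)."""
    when = parse_touch_timestamp(stamp)
    os.utime(path, (when, when))


def timestomp_indicators(path: str, slack_seconds: float = 60.0) -> list[str]:
    """Return reasons the file's timestamps look backdated (empty if consistent)."""
    st = os.stat(path)
    findings = []
    # touch can set mtime but not ctime, so a large ctime - mtime gap is suspicious.
    if st.st_ctime - st.st_mtime > slack_seconds:
        gap = st.st_ctime - st.st_mtime
        findings.append(f"change time is {gap:.0f}s after modification time")
    # APFS records a birth time; a file 'modified' before it was created is impossible.
    birth = getattr(st, "st_birthtime", None)  # absent on most Linux builds of Python
    if birth is not None and birth - st.st_mtime > slack_seconds:
        findings.append("modification time precedes birth time")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Create a constructed file, record findings before and after backdating it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "helper")
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        before = timestomp_indicators(path)
        simulate_touch_t(path, "201905021330")  # constructed backdated stamp
        after = timestomp_indicators(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:", before)
    print("after touch -t:", after)
```

When sweeping a real host, run `timestomp_indicators` over the LaunchAgent and LaunchDaemon directories and the user's shell profiles, since those are the files the article says this family plants. Keep in mind that legitimate installers and archive extractors also preserve old modification times, so treat a hit on its own as a prompt to inspect the file's origin rather than proof of compromise.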

Command Capabilities

CHILLYHELL's modular design provides operators with a wide range of functions. Among the supported commands are:

  • Launching a reverse shell to the C2 server
  • Downloading updated malware versions
  • Retrieving and executing additional payloads
  • Running the ModuleSUBF module to enumerate user accounts from /etc/passwd
  • Performing brute-force attacks using a password list supplied by the C2 server

A Sophisticated macOS Threat

With multiple persistence mechanisms, versatile communication protocols, and a modular framework, CHILLYHELL stands out as an unusually sophisticated macOS malware. Features such as timestomping and password cracking set it apart from typical threats seen in the platform's landscape.

One alarming detail is that the malware was Apple-notarized, proving that not all notarized software is safe. This highlights the need for users and organizations to remain vigilant and not rely solely on code-signing or notarization as indicators of trustworthiness.
